Manually disabling Duo Security Two-Step Authentication? And what about 'No active workspace found for user'? [SOLVED by reinstalling]

linux
nginx
php71
solved

#1

Hi there! I’ve ‘inherited’ a Pydio installation which has lots of files there (several GBytes), so any answer such as ‘reinstall from scratch’ is of course out of the question. This was originally a Pydio 6 installation which, after much trouble, I managed to upgrade to 8.0.2 without any loss of data. It is currently running under Ubuntu 16.0.4, nginx 1.12.2, PHP 7.1 (7.2 is currently incompatible with Pydio), although I’ve also used Pydio with 7.0 for a long time.

I started with a ‘plain’ HTTP installation, then moved to a self-signed certificate for HTTPS, then moved to a Let’s Encrypt certificate, and finally added Duo Security (Two-Step Authentication) just because I’m quite happy with it.

All was working flawlessly until I revalidated the certificate. For a while the system was unstable (sometimes it would allow me to log in, sometimes it wouldn’t) but eventually I managed to log back in again. At this point I noticed that Pydio Sync (on macOS) and the Pydio app (on iOS) stopped working: I could swear that it wasn’t affected by Duo Security before, but now it gets authentication errors across all users (admins or not). There was no automated update, so I don’t know what happened.

So while I apparently still had an open session on the web backend, I tried to administratively disable Duo Security. This ought to have worked… but at this time, the backend JavaScript started spewing out errors — all related to authentication failures — and for all effects the web backend became ‘blank’. Looking at the JS console I can see now that the authentication errors come from the Duo Security module. I conclude that, in spite of my efforts, I did not manage to shut it down — the backend allegedly failed to disable the Duo Security module because of those auth errors…

Technically I’m now stumped — unable to log in to disable the Duo Security module — but I’m aware of two alternatives. The first would be to use the CLI — it seems to be still operating and bypassing the Duo Security module, at least I can get it to authenticate and see some things happening… but there seems to be no documentation regarding enabling/disabling modules via the CLI.

All I can do is something like this:

php cmd.php -u 'myusername' -p '[my password]' -r 1 -a status
*****************************
Current User is 'myusername'
*****************************
USER: Cannot access to workspace with id/alias 1

I get the same error with whatever command I try and/or repository_id (there are not many), and I’ve used all alternatives — the ‘short’ id (1, 2, 3 etc…), the ‘long’ id (a 32-byte hex sequence), the slug, etc. All finish with the same error. And, as said, I have no clue about how to add/remove modules from the CLI.

The alternative (which I’ve also tried) is to change the database directly, namely, go to table ajxp_plugin_configs, search for the entry for authfront.duosecurity, and make sure that the blob there has a file with

a:1:{s:19:"AJXP_PLUGIN_ENABLED";b:0;}

I even deleted that entry for authfront.duosecurity, hoping that Pydio would ignore it forever, but that didn’t work, either.

Finally, I confirmed that on [PYDIO]/plugins/authfront.duosecurity/manifest.xml I had enabled=false. I believe this managed to get rid of Duo Security, but I cannot confirm without being able to take a look at the web backoffice.

Nevertheless, I still have login issues.

Each time I made a change, I’d go to the cache and type rm plugins_* i18n/en_plugins_messages.ser just to make sure it wasn’t a caching issue, and usually made an attempt from three different browsers (because browsers cache so many things these days…).

There are no suspicious entries on the web server access logs, the calls seem to be all coming in, they just don’t work as before. They sometimes time out and I see some things happening, like getting all of a sudden a login box, but typing the username/password in it will not really do anything (except making the box disappear). In general, however, I just get one of the background pictures for the login. I believe I am logged in (from the perspective of the session cookies) but I don’t ‘see’ anything.

No errors on the JS console. Access logs show the calls all nicely coming in. Nothing on [PYDIO]/data/logs.

On the nginx error logs:

2018/03/12 22:47:27 [error] 10034#10034: *227 FastCGI sent in stderr: "PHP message: Exception was caught but could not be sent: No active workspace found for user! PHP message: ===> Exception details : /var/www/clients/client6/web14/web/core/src/pydio/Core/Http/Rest/RestAuthMiddleware.php on line 80 #0 [internal function]: Pydio\Core\Http\Rest\RestAuthMiddleware::handleRequest(Object(Zend\Diactoros\ServerRequest), Object(Zend\Diactoros\Response), Object(Closure)) #1 /var/www/clients/client6/web14/web/core/src/pydio/Core/Http/Server.php(146): call_user_func_array(Array, Array) #2 /var/www/clients/client6/web14/web/core/src/pydio/Core/Http/Server.php(145): Pydio\Core\Http\Server->nextCallable(Object(Zend\Diactoros\ServerRequest), Object(Zend\Diactoros\Response)) #3 [internal function]: Pydio\Core\Http\Server->Pydio\Core\Http\{closure}(Object(Zend\Diactoros\ServerRequest), Object(Zend\Diactoros\Response)) #4 /var/www/clients/client6/web14/web/core/src/pydio/Core/Http/Server.php(162): call_user_func_array(Object(Closure), Array) #5 /var/www/clients/client6/web14/web/core/src/pydio/Core/Http/Middleware/SapiMiddleware.php(75): Pydio\Core\Http\Server::callNextMiddleWare(O" while reading upstream, client: 81.193.29.206, server: files.betatechnologies.info, request: "GET /api/pydio/state/plugins?format=json&auth_token=TXtfHShoqBmDXDGVrbeJRTId&auth_hash=331bbb532934d4988b3047b7b424f6d11661ea97:940af4a6278bea854b35704244fc06f6ed4584eb8748d82587795674c5ff32a1 HTTP/1.1", upstream: "fastcgi://127.0.0.1:9023", host: "files.betatechnologies.info"

And on the ajxp_log table, I get:

Pydio\Core\Services\AuthService Log In context=WebUI no-repository

Note that the Pydio Sync app writes a lot of log entries such as:

RestAuthMiddleware.php error l.80 message=No active workspace found for user! no-repository

This happens for all users, admins or non-admins.

Googling for No active workspace found for user results basically in nothing; or, rather, the error No active repository found for user. One wonders if this is basically the same error, i.e. somehow Pydio ‘forgot’ what the repository was for all users? Did that happen because I manually disabled Duo (or at least tried to)? How do I set the active directory for each user?

Sadly, whatever answers I could find are for way ancient versions of Pydio, so the tricks shown there do not apply.

Note that the database seems ok, i.e. in table ajxp_user_prefs the repository_last_connected points to the correct repository ID, and permissions, as far as I can get from the database, seem fine as well.

Oh, and yes, I experimented with several browsers, I cleared cookies, and I even deleted the cookie_hash item on ajxp_user_prefs. To no avail: Pydio is still unable to find the ‘active repository’, whatever that might be.

I imagine this must be something easy to fix, since it was just yesterday when I successfully uploaded more than 16 GBytes of data (from very small files to large videos) and all worked flawlessly. Today, after tweaking the SSL certificates for HTTPS, Duo Security simply stops working, and after manually disabling it, login fails by saying it cannot find any ‘active workspace’. So, how can I fix this?

Thanks in advance!
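
Added example, not part of the original post and not Pydio code: a hand-edited PHP-serialized blob such as the ajxp_plugin_configs value quoted above only loads if every length prefix matches its data, so this small checker parses the blob and reports the AJXP_PLUGIN_ENABLED flag. It assumes the blob uses only array, string, boolean and integer values; the function names and the BAD sample are constructed for illustration.

```python
# Added example: validate a hand-edited PHP-serialized plugin config blob.
# Handles only the value types needed here: a (array), s (string), b (bool), i (int).

def _parse(buf: bytes, pos: int):
    """Parse one serialized value starting at pos; return (value, next_pos)."""
    tag = buf[pos:pos + 2]
    if tag in (b"b:", b"i:"):
        end = buf.index(b";", pos)
        num = int(buf[pos + 2:end])
        return (bool(num) if tag == b"b:" else num), end + 1
    if tag == b"s:":
        colon = buf.index(b":", pos + 2)
        length = int(buf[pos + 2:colon])   # the prefix counts bytes, not characters
        start = colon + 2                  # skip the ':"' after the length
        end = start + length
        if buf[colon + 1:start] != b'"' or buf[end:end + 2] != b'";':
            raise ValueError(f"string length prefix {length} does not match the data")
        return buf[start:end].decode("utf-8"), end + 2
    if tag == b"a:":
        colon = buf.index(b":", pos + 2)
        count = int(buf[pos + 2:colon])
        if buf[colon + 1:colon + 2] != b"{":
            raise ValueError("array body must start with '{'")
        pos, items = colon + 2, {}
        for _ in range(count):
            key, pos = _parse(buf, pos)
            items[key], pos = _parse(buf, pos)
        if buf[pos:pos + 1] != b"}":
            raise ValueError(f"array declares {count} entries but the body disagrees")
        return items, pos + 1
    raise ValueError(f"unsupported or malformed value at byte {pos}")


def plugin_enabled(blob: bytes):
    """Return the AJXP_PLUGIN_ENABLED flag stored in the blob, or None if absent."""
    value, end = _parse(blob, 0)
    if end != len(blob):
        raise ValueError("trailing bytes after the serialized value")
    if not isinstance(value, dict):
        raise ValueError("plugin configuration must be a serialized array")
    return value.get("AJXP_PLUGIN_ENABLED")


GOOD = b'a:1:{s:19:"AJXP_PLUGIN_ENABLED";b:0;}'  # value quoted in the post
BAD = b'a:1:{s:18:"AJXP_PLUGIN_ENABLED";b:0;}'   # constructed: wrong length prefix

if __name__ == "__main__":
    print(plugin_enabled(GOOD))
    try:
        plugin_enabled(BAD)
    except ValueError as exc:
        print("rejected:", exc)
```
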


How to manually disable a plugin? (I have no access to web interface) [ANSWERED but did not fix my specific issue]
#2

I gave up on trying to ‘fix’ things — instead, I did a clean reinstall after saving the directories where all the files resided (I backed up the users’ passwords first).

Now it works again, and, for now, I will refrain from using Duo Security before I’m 100% sure it works without breaking things! :joy:

